[VIM] Re: Plans security question (fwd)

security curmudgeon jericho at attrition.org
Thu Jun 30 17:18:04 EDT 2005

---------- Forwarded message ----------
From: Lloyd Dalton <daltonlp at gmail.com>
To: security curmudgeon <jericho at attrition.org>
Date: Thu, 30 Jun 2005 11:21:16 -0500
Subject: Re: Plans security question


   Thanks for the note.  I actually wasn't aware of the note on
securia.  I suspect it was NoseyNick who posted it (he discovered the

   The sql injection / xss vulnerability you mention was actually fixed
in 6.7.1 (not in 6.7.2).  The version on securia is incorrect.  It is
a separate issue from the password exposure issue.  It also wasn't
described very well on the main page (it should say "Fixes for several
potential sql injection and cross-site scripting vulnerabilities")

   Hope this helps,

- Lloyd Dalton

On 6/30/05, security curmudgeon <jericho at attrition.org> wrote:
> Hi,
> I saw the news entry dated Apr 30, 2005 for the SQL bug that could
> disclose the mySQL password. Updating to 6.7.1 fixes this.
> I also saw Secunia released information regarding an SQL injection attack
> in plans.cgi (http://secunia.com/advisories/15854/) on Jun 29, 2005. Their
> note says upgrading to 6.7.2 fixes this bug.
> I did not see mention of the plans.cgi SQL injection on your news site and
> was wondering if these really refer to the same vulnerability, or if this
> is two seperate issues?
> Thanks for any clarification!
> Brian

More information about the VIM mailing list